Around this time last year, network access control (NAC) was the be-all, end-all for network security. Performing pre- and post-admission checks on devices before allowing them access to the network and applications was still a relatively fresh concept.

And, as with every new thing, vendors scrambled and clawed to get their solutions to market and offer a new or different form of NAC, adding in one or two new components, but keeping the rest pretty much status quo.

Now, however, it seems it’s all been done. While many key vendors offer some form of NAC — Cisco, Microsoft, Juniper and others — it is getting increasingly hard to differentiate between them, since NAC has entered the realm of commoditization. There are also still a number of vendors — Vernier, Nevis and many more — offering point-based NAC appliances and tools to fill the gap, but even those solutions vary in only minuscule ways.

I didn’t really see things that way until a recent chat with Current Analysis senior analyst Andrew Braunberg. While we discussed some additions and enhancements to Juniper’s Unified Access Control (UAC) NAC products, Braunberg quickly pointed out that NAC has gotten to the point where there isn’t much that can be added to it that isn’t already there. Sure, vendors can enhance certain elements and integrate NAC with other tools, but the core functionality of a NAC solution is unlikely to change much for a while.

“There’s not really going to be anything new under the sun in the NAC market over the next few years,” he said. “Most of it is already available. Vendors will continue fortifying their NAC solutions.”

I have to agree. It seems the time for radical developments in NAC has passed. That’s not necessarily a good thing or a bad thing. It just is. I’m curious, however, what the next big NAC development will be a few years from now. I’d like to ask you. Do you have any predictions on where NAC is heading? Do you agree or disagree that NAC solutions have reached a plateau? How will that affect your NAC purchases moving forward?


While I agree with you and Andrew Braunberg that the majority of the feature set has been well defined, I definitely don’t agree that this means the market has reached commodity status. Why not?
1) huge disparity amongst products – there’s still really big differences in the capabilities of various products, including who can really do much post-admission control at all – endpoint software- and out-of-band appliance-based approaches cannot see the user traffic and therefore cannot enforce based on what the user is currently doing (the application in use, the destination they’re trying to reach, etc.)
2) lots of vendors making noise – the number’s getting smaller, thankfully, but it’s still an overly crowded space
3) it’s not about pricing – when a market hits commodity status, you compete on price – that’s not happening in deals – customers are definitely having feature set rule the day, which is totally appropriate for something that’s this important (security) and that’s not a commodity
So here’s the funny part – despite thinking NAC’s not close to commodity status, I also don’t think it’s a long-term market. This functionality is critical to the LAN – enterprises of all types need to control who can do what on the LAN. But because the functionality is that fundamental, it won’t stay standalone – instead, these kinds of user-based controls must get built into the fabric of the LAN. Access switches, because they sit close to the user and protect the full scope of the LAN, are the ideal place for this technology. One of our customers, for example, just dumped Cisco Clean Access after struggling with it for a year. The alternative they picked from us? Not our appliance but our switches – they bought more than 50 wiring closet switches to get the control embedded directly in the LAN. You can read more about it here: http://www.networkworld.com/news/2007/100407-cisco-schools-switch.html?t51hb
The future of NAC is as a feature on a switch. And for some enterprises, the future’s already here.
--Michelle
Michelle Rae McLean
ConSentry Networks
mmclean-at-ConSentry-dot-com

After some experience implementing 802.1x NAC with agent-based system scans, NAC Appliance with agent scans and other pure switch-based 802.1x installations, I have the following experience.
-- Full NAC implementation is not a network technology, it’s an IT technology. It’s more about how to handle PC patching, virus updates, user control and standard policy. NAC has been pushed by different network companies as a solution to the security problem. But the security problem does not have its source in the network; it’s the hosts that are the source. Therefore, anything other than pure 802.1x authentication ‘NAC’ functions is more likely to depend on the server, security or client-PC department than on the network department.
-- When the organization is large enough to have ‘different’ departments handling servers, clients, network, security, user support . . . it starts to be very hard to implement real NAC with all the nice features of scanning each PC before it’s allowed to join the network. This is mostly not a technology problem, it’s an organizational problem, sometimes a ‘religious’ problem :-).
-- My recommendation is to go slow and only add one function at a time, or at least as few as possible. Make it as transparent as possible and tighten it up harder and harder over time. All this should be done after a really deep analysis before you choose a NAC system. How do you support a PC which is ‘logged out’? How will you push out virus updates when all your PCs are ‘off-line’? How will your system really handle VLAN ‘jumping’ if you implement such a system? My conclusion is that you will have surprises from people or systems you don’t expect . . . and how about systems you did not even think about, like VoIP, heat control systems connected to the IP network, surveillance cameras? Do you know how many ‘strange’ communication products you really have connected at your production line?
-- To me, NAC looks more and more like a tool for the client and virus department. What kind of tool will they have in the future? Tools like MS NAP will probably look much more familiar to them than any of today’s NAC tools. How will your NAC tool fit with NAP in the future? Maybe you don’t want to be compatible at all with NAP, to have some sort of shield against any upcoming NAP hack? These are questions you have to answer before you choose a NAC product.
-- NAC, any sort of NAC incl. NAP, will tighten the connection between different IT departments in your company. In some ways, the troubleshooting will be harder and you will need to keep your documentation more up-to-date than today (most likely :-). If all this fits and you start to get your different IT departments to really work together, pick one NAC which suits your needs. But if you don’t bring all parts of your IT organization on board with NAC, you will fail. This is not the same situation as when you choose switches, routers or a routing protocol. It’s not like when you choose virtualization software or servers. It’s not like when you choose what client or trouble ticket system to use. NAC will tie most IT groups together for real; is your organization ready for it?
Good luck with NAC. Prepare well, let it take time and you will have your NAC up.
Best Regards
Per Håkansson
SpeedApp AB
per[you know what char]speedapp--se
